Security and Privacy

IRIS Connect has data protection, privacy and safety at its heart

We understand how important it is for you to protect and safeguard everyone in your community, which is why IRIS Connect ensures outstanding security. We have thought very carefully about our legal responsibilities and your peace of mind, building a system that’s rooted in data protection, privacy and safety.

Why are data protection, privacy and security so important?

Video is a powerful tool for accelerating teaching and learning, but it is vital that the students featured in a lesson recording are appropriately protected at all times.

A school leader who purchases a system that does not meet basic data protection requirements exposes the school to a range of significant liabilities.

What questions should I ask?

Our platform is designed to be a safe professional learning community, but not all video technology providers prioritize your safety in the same way. Not everyone abides by the relevant legal frameworks and some don’t even provide very basic security measures.

Here is a series of basic questions you can use to help establish whether a video system puts your security first.

These considerations will help you check whether a provider is aware of the legal framework that schools have to operate within, provides an agreement that meets it and can look after your data in such a way that it will not be lost or accessed by others.

Questions for cloud-based solutions

You must choose a data processor that provides sufficient guarantees about its security measures to protect the processing it will do for you.

You must take reasonable steps to check that those security measures are being put into practice.

IRIS Connect stores all data within a world-class environment trusted by numerous government and public sector organizations to store highly sensitive data. The environment utilizes state-of-the-art network security, electronic surveillance, physical security and multi-factor access control systems to protect client data. The data centers are staffed 24×7 by trained security teams. This environment has qualified for the following assurance programs:

The IRIS Connect system is based on individual user accounts and permissioning, where each user has their own personal username and password for their account in our platform.

Each account is linked to an email address, which needs to be verified. Further, passwords cannot be reset by the Organization Administrator, nor can email addresses be changed to gain access through the ‘forgotten password’ process.

The entire IRIS Connect platform (including the login page) uses SSL (https) to protect against ‘man-in-the-middle’ attacks and ensure that users’ account credentials and data are sent securely in line with the latest industry standards.

It is important to monitor not only data transfer and storage but also the deletion of data. Where data is deleted from a live system, it should also be deleted from any back-ups.

Customer data (financial) will be retained in line with local legal frameworks.

Customer data (non-financial) will be disposed of following termination of license. Our secure data center employs industry standard procedures on the decommissioning of its storage devices at the end of their useful life.

Deleted data will be stored for 3 months in case the customer needs to retrieve it. The back-ups will be stored for a further 6 months before being destroyed.

There are certain occasions when information needs to be preserved beyond this limit, such as in the following circumstances:

• Legal proceedings or a regulatory or similar investigation or obligation to produce information are known to be likely, threatened or actual
• A crime is suspected or detected
• Information is relevant to a company in liquidation or receivership, where a debt is due to IRIS Connect
• In the case of possible or actual legal proceedings, investigations or crimes occurring, the type of information that needs to be retained relates to any that will help or harm IRIS Connect or the other side’s case or liability or amount involved

Utilizing independent services ensures that a wider analysis of the system is taking place, which can be important in introducing updated processes and highlighting weaknesses that might not be forthcoming from an internal review.

This alternative perspective review will assist in identifying any practices that could cause security, storage or usability issues.

IRIS Connect have partnered with ‘Well-Typed’, independent development consultants who regularly provide input and advice on the latest industry standards and best practice processes. These are then incorporated into our new feature and security developments and infrastructure maintenance to provide the best experience for our users.

Collecting and storing your data in a system involves financial, time and process investment and often this stored data is irreplaceable. This investment needs to be protected and if a recovery is required, the service provider must ensure they are able to restore this without alteration from a back-up.

By using Amazon S3 infrastructure, IRIS Connect are able to ensure that all data stored in the web platform is backed up on an hourly basis.

The service provider needs to demonstrate and provide evidence that their services are reliable, supported and will be able to meet your service needs.

IRIS Connect utilizes market leading services (Amazon S3) for data processing and storage. We regularly and automatically utilize their scaling infrastructure to deal with increases in service traffic.

IRIS Connect have provided 99.9% service uptime in the last 18 months during core operating hours (6am-4pm Pacific Time).

IRIS Connect provides free full support to all customers, enabling us to quickly resolve any issues logged. This is provided Monday – Friday between 6am-4pm Pacific Time.

Questions for local network-based solutions

Sensitive data needs to be secured both physically and digitally to safeguard against theft.

Further, the data needs to have a reliable, regular back-up; ideally to an off-site location in the event of a fire / flood etc.

IRIS Connect is a fully cloud-based solution with no devices permanently storing files.

For full user control and data security, videos are never stored on individual devices or local servers. Instead, they are encrypted, immediately uploaded to our platform and automatically deleted from the device they were recorded on.

The platform is designed to ensure that data remains in the secure, password protected environment. This includes adding Editing and Groups for cross-organizational sharing and not enabling the downloading of sensitive data to local devices.

The use of passwords as a secure authentication step to safeguard data stored on the system will be compromised if the passwords are not stored in an encrypted format. This presents a security risk. When passwords are stored in an encrypted format, they will be useless if someone manages to gain access to them.

CE marking is a mandatory conformity marking for certain products sold within the European Economic Area (EEA) since 1985. The manufacturer has to take certain obligatory steps before the product can bear CE marking, including a conformity assessment, setting-up a technical file and signing a declaration stipulated by the leading legislation for the product. The documentation has to be made available to authorities upon request.

All devices supplied by IRIS Connect are CE marked and have gone through independent testing to ensure they are in line with EEA product safety legislation.

IRIS Connect allows teachers to upload classroom video to our secure platform where they can share it with other educators at their school and other approved education organizations, so they can collaborate and learn from each other.

These videos often include students as they interact with the teacher and their peers in the classroom. Teachers are completely in control of these videos – only they can decide which educators can see them. IRIS Connect will not share these videos with third parties.

IRIS Connect provides a secure, online platform for professional learning to a closed community of education professionals. Recordings can only be shared by your child’s teacher to users and groups that the school has approved.

Teachers use IRIS Connect to record their classroom teaching so that they can continually improve their instruction and meet the learning needs of your student. Your student may be recorded in the classroom as they are learning.

Only educators with authorized accounts can access videos on the IRIS Connect platform. IRIS Connect never shares classroom videos with any third party in normal use. There are certain occasions, such as when a crime is suspected, in which IRIS Connect would comply with the law to release data if requested with appropriate authority.

IRIS Connect does not enable the downloading of video content from the platform. When a video is downloaded, control of it could be lost, with copies being made or it being uploaded to a public access website. IRIS Connect has developed its platform to make it the safest and most secure environment for teachers to participate in video-based PD. In controlled circumstances and with appropriate authorization, downloading of a video is permitted, for example when evidencing teaching for a professional certification.

Our platform is designed with your security and privacy at its heart. You’ll be given your own password protected account on our cloud-based server, where any videos that you record will automatically be uploaded. This ensures video security, avoids storage problems and allows you to access your videos at any time and from anywhere.

When using IRIS Connect, you have complete control over who sees any of the videos that you create, sharing them with only individuals or groups that you choose. You also have the ability to delete or remove sharing privileges as you wish.

The IRIS Connect platform provides an anonymization tool to further protect data. This feature enables easy anonymization of any reflection, which you can apply before sharing with colleagues.

Notified of Breach (Discovered or informed)

Containment/Recovery

Inform relevant Senior Management

Ascertain breach status

Ascertain if Law Enforcement should be notified

Recover or limit damage from the breach

Investigation

Investigate: the type of data, its sensitivity, what protections are in place (e.g. encryption), what has happened to the data, whether the data could be put to any illegal or inappropriate use, how many people are affected, what type of people have been affected (the public, suppliers etc.) and whether there are wider consequences to the breach.

Investigation should be completed urgently and wherever possible within 24 hours of the breach being discovered/reported. A further review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved.

Notification

Assess which relevant parties should be notified of the breach and notify them.

Review & Evaluation

Conduct a full review of the causes and effectiveness of the response to the breach, compiled and reported to the Board of Directors.